In August 2021, the University of Minnesota experienced a data breach involving its **Legacy Data Warehouse**, where unauthorized third parties accessed or acquired personal information of individuals associated with the university from **1989 to August 2021**. The compromised data included records of **prospective students, current/former students, employees, and program participants**, potentially exposing their sensitive details on the dark web. The breach led to a **$5 million class-action settlement**, with affected individuals eligible for a **$30 cash payout and 24 months of dark web monitoring**. The university denied negligence but settled to avoid prolonged litigation. The incident highlighted failures in safeguarding long-term stored data, impacting **decades’ worth of personal records** and prompting legal repercussions. The settlement fund covers administrative costs, attorney fees (up to **$1.67M**), service awards, and claimant payouts, with distributions expected **105 days after final court approval (January 2026)**. The breach underscored vulnerabilities in legacy systems and the far-reaching consequences of historical data exposure.
Source: https://www.claimdepot.com/settlements/university-of-minnesota-5m-data-breach-settlement
TPRM report: https://www.rankiteo.com/company/university-of-minnesota
"id": "uni5693656101625",
"linkid": "university-of-minnesota",
"type": "Breach",
"date": "6/1989",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  'affected_entities': [
    {
      'customers_affected': 'Students, employees, and program participants from 1989 to August 2021',
      'industry': 'Higher Education',
      'location': 'Minnesota, USA',
      'name': 'Regents of the University of Minnesota',
      'type': 'Educational Institution'
    }
  ],
  'customer_advisories': ['$30 cash payment and 24 months of dark web monitoring offered to affected individuals'],
  'data_breach': {
    'data_exfiltration': True,
    'personally_identifiable_information': True,
    'sensitivity_of_data': 'High (includes personally identifiable information)',
    'type_of_data_compromised': ['Personal Information']
  },
  'date_detected': '2021-08-10',
  'date_publicly_disclosed': '2023-09',
  'description': 'Unauthorized third parties accessed or obtained personal data from the University of Minnesota’s Legacy Data Warehouse in August 2021, potentially affecting students, employees, and program participants from 1989 through August 2021. The breach led to a $5 million class action settlement, offering affected individuals a $30 cash payment and 24 months of dark web monitoring. Personal data may have been posted on the dark web.',
  'impact': {
    'brand_reputation_impact': 'Negative (class action lawsuit and public disclosure)',
    'data_compromised': True,
    'financial_loss': '$5,000,000 (settlement fund)',
    'identity_theft_risk': 'High (personal data exposed, dark web monitoring offered)',
    'legal_liabilities': "$5,000,000 settlement, attorneys' fees up to $1,666,666.67",
    'systems_affected': ['Legacy Data Warehouse']
  },
  'initial_access_broker': {
    'data_sold_on_dark_web': True,
    'entry_point': ['Legacy Data Warehouse'],
    'high_value_targets': ['Personal data of students, employees, and program participants (1989–2021)']
  },
  'investigation_status': 'Settled (class action lawsuit resolved)',
  'post_incident_analysis': {
    'corrective_actions': [
      '$5 million settlement fund',
      'Dark web monitoring for affected individuals'
    ],
    'root_causes': ['Failure to adequately protect personal information in Legacy Data Warehouse']
  },
  'ransomware': {'data_exfiltration': True},
  'references': [
    {'source': 'Class Action Settlement Notice'},
    {'source': 'Kroll Settlement Administration LLC'}
  ],
  'regulatory_compliance': {
    'legal_actions': ['Class action lawsuit settled for $5 million']
  },
  'response': {
    'communication_strategy': [
      'Direct notices sent to affected individuals in September 2023',
      'Public settlement claim process'
    ],
    'recovery_measures': ['$5 million settlement fund for affected individuals'],
    'third_party_assistance': ['Kroll Settlement Administration LLC (settlement administration)']
  },
  'stakeholder_advisories': [
    'Direct notices to affected individuals (September 2023)',
    'Public settlement claim process'
  ],
  'threat_actor': 'Unauthorized third parties',
  'title': 'University of Minnesota Legacy Data Warehouse Data Breach (August 2021)',
  'type': ['Data Breach', 'Class Action Lawsuit']
}